A new variant of the nefarious Zeus banking trojan – dubbed ZeusVM – is concealed in JPG image files, according to the collaborative findings of Jerome Segura, senior security researcher with Malwarebytes, and French security researcher Xylitol.
The act is known as steganography – concealing messages or images in other messages or images.
In the case of ZeusVM, the malware’s code is hidden in unassuming JPG images, a Monday blog post by Segura revealed. These photos serve as misdirection for ZeusVM to retrieve its configuration file.
“The JPG contains the malware configuration file, which is essentially a list of scripts and financial institutions – but doesn’t need to be opened by the victim themselves,” Segura told SCMagazine.com in a Tuesday email correspondence. “In fact, the JPG itself has very little visibility to the user and is largely a cloaking technique to ensure it is undetected from a security software standpoint.”
Being infected by ZeusVM trojan allows for man-in-the-middle and man-in-the-browser attacks, Segura said, adding that visiting certain URLs, such as banking websites, will cause the trojan to respond and begin interacting in real-time.
This means attackers can obtain certain information by altering a login page using webinjects, or they could perform wire transfers while altering the victim’s account balance to make it seem like funds were never moved, Segura said.
Meanwhile, the ZeusVM main executable, buried deep within the computer, is communicating with the command-and-control server, Segura said, adding it reactivates every time the system reboots.
“This piece of malware can be distributed in many different ways, but most typically through phishing emails or a web-based attack,” Segura said, explaining the malware could also be spread via malvertising, which involves websites hosting ads that spread malware.
To show the difference between an original image and a compromised image, Segura, in his blog post, placed two seemingly identical JPGs side by side. When viewed in bitmap mode and in hexadecimal viewer, the added bits of malicious code were noticeable.
“To make identification more difficult, the appended data is encrypted with Base64, RC4 and XOR,” Segura wrote in the post. “To decode it you can reverse the file with a debugger such as OllyDbg and grab the decryption routine. Alternatively, you can use the leaked Zeus source code to create your own module that will decompress the data blocks.”